Resubmissions
03-08-2024 19:41  240803-yd9fjsxgpb  10
03-08-2024 19:38  240803-ycw4tsxgkh  7
03-08-2024 19:34  240803-yadvgatajk  10
13-05-2024 19:48  240513-yh3tkacb38  10

Analysis
max time kernel: 226s
max time network: 228s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system
submitted: 03-08-2024 19:34
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://malwarewatch.org
Resource: win11-20240802-en

Errors
General: -

Target: http://malwarewatch.org

Malware Config
-

Signatures
Modifies WinLogon for persistence  (2 TTPs, 1 IoC)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe" | reg.exe

UAC bypass
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Executes dropped EXE  (1 IoC)
  PID 2096 | system.exe

Adds Run key to start application  (2 TTPs, 1 IoC)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe" | reg.exe

Legitimate hosting services abused for malware hosting/C2  (1 TTP, 2 IoCs)
  flow 15 | raw.githubusercontent.com
  flow 76 | raw.githubusercontent.com
System Location Discovery: System Language Discovery  (1 TTP, 20 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SCHTASKS.exe (1 entry)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe (7 entries)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | [email protected] (1 entry)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (9 entries)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | shutdown.exe (1 entry)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system.exe (1 entry)
Enumerates system info in registry  (2 TTPs, 3 IoCs)
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies data under HKEY_USERS  (15 IoCs)
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | LogonUI.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "85" | LogonUI.exe

Modifies registry class  (1 IoC)
  Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings | msedge.exe

NTFS ADS  (2 IoCs)
  File opened for modification | C:\Users\Admin\Downloads\7ev3n.zip:Zone.Identifier | msedge.exe
  File created | C:\Users\Admin\AppData\Local\system.exe\:Zone.Identifier:$DATA | [email protected]
Scheduled Task/Job: Scheduled Task  (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2104 | SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses  (15 IoCs)
  PID 400 | msedge.exe (2 entries)
  PID 960 | msedge.exe (3 entries)
  PID 4756 | msedge.exe (2 entries)
  PID 3696 | identity_helper.exe (2 entries)
  PID 1576 | msedge.exe (4 entries)
  PID 2984 | msedge.exe (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary  (10 IoCs)
  PID 960 | msedge.exe (10 entries)

Suspicious use of AdjustPrivilegeToken  (2 IoCs)
  Token: SeShutdownPrivilege | PID 3164 | shutdown.exe
  Token: SeRemoteShutdownPrivilege | PID 3164 | shutdown.exe

Suspicious use of FindShellTrayWindow  (33 IoCs)
  PID 960 | msedge.exe (33 entries)

Suspicious use of SendNotifyMessage  (12 IoCs)
  PID 960 | msedge.exe (12 entries)

Suspicious use of SetWindowsHookEx  (2 IoCs)
  PID 3448 | PickerHost.exe
  PID 2216 | LogonUI.exe

Suspicious use of WriteProcessMemory  (64 IoCs)
  PID 960 wrote to memory of 1244 | PID 960 | msedge.exe | target 81 (2 entries)
  PID 960 wrote to memory of 3632 | PID 960 | msedge.exe | target 82 (40 entries)
  PID 960 wrote to memory of 400 | PID 960 | msedge.exe | target 83 (2 entries)
  PID 960 wrote to memory of 4644 | PID 960 | msedge.exe | target 84 (20 entries)
Processes
(Each entry gives the image path, then the command line on the next line, then the signatures triggered by that process; indentation shows parent/child nesting.)

[PID 960] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://malwarewatch.org
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    [PID 1244] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff8dc43cb8,0x7fff8dc43cc8,0x7fff8dc43cd8

    [PID 3632] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,9398531916003259307,11062167955276901856,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2

    [PID 400] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,9398531916003259307,11062167955276901856,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    [PID 4644] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,9398531916003259307,11062167955276901856,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8

    [PID 3624] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,9398531916003259307,11062167955276901856,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1

    [PID 2068] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,9398531916003259307,11062167955276901856,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1

    [PID 1412] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,9398531916003259307,11062167955276901856,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1

    [PID 1424] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,9398531916003259307,11062167955276901856,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1

    [PID 4756] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,9398531916003259307,11062167955276901856,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4076 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    [PID 2080] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,9398531916003259307,11062167955276901856,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1

    [PID 468] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1924,9398531916003259307,11062167955276901856,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5784 /prefetch:8

    [PID 3696] C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,9398531916003259307,11062167955276901856,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6008 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    [PID 1576] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,9398531916003259307,11062167955276901856,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3504 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

    [PID 1088] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,9398531916003259307,11062167955276901856,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1

    [PID 2984] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,9398531916003259307,11062167955276901856,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3788 /prefetch:8
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses

    [PID 5004] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,9398531916003259307,11062167955276901856,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1

    [PID 3624] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,9398531916003259307,11062167955276901856,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1

    [PID 3728] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,9398531916003259307,11062167955276901856,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1

    [PID 3652] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,9398531916003259307,11062167955276901856,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1

[PID 4060] C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

[PID 3960] C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

[PID 4648] C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

[PID 3544] C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[PID 1820] C:\Users\Admin\AppData\Local\Temp\Temp1_7ev3n.zip\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\Temp1_7ev3n.zip\[email protected]"
  - System Location Discovery: System Language Discovery
  - NTFS ADS

    [PID 2096] C:\Users\Admin\AppData\Local\system.exe
      "C:\Users\Admin\AppData\Local\system.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

        [PID 3440] C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
          - System Location Discovery: System Language Discovery

        [PID 2104] C:\Windows\SysWOW64\SCHTASKS.exe
          C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task

        [PID 1136] C:\windows\SysWOW64\cmd.exe
          C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
          - System Location Discovery: System Language Discovery

            [PID 2296] C:\Windows\SysWOW64\reg.exe
              REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
              - Modifies WinLogon for persistence
              - System Location Discovery: System Language Discovery

        [PID 2008] C:\windows\SysWOW64\cmd.exe
          C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
          - System Location Discovery: System Language Discovery

            [PID 1228] C:\Windows\SysWOW64\reg.exe
              REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
              - Adds Run key to start application
              - System Location Discovery: System Language Discovery

        [PID 3676] C:\windows\SysWOW64\cmd.exe
          C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
          - System Location Discovery: System Language Discovery

            [PID 2432] C:\Windows\SysWOW64\reg.exe
              REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
              - System Location Discovery: System Language Discovery

        [PID 2664] C:\windows\SysWOW64\cmd.exe
          C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
          - System Location Discovery: System Language Discovery

            [PID 3120] C:\Windows\SysWOW64\reg.exe
              REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
              - System Location Discovery: System Language Discovery

        [PID 2100] C:\windows\SysWOW64\cmd.exe
          C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
          - System Location Discovery: System Language Discovery

            [PID 652] C:\Windows\SysWOW64\reg.exe
              REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
              - System Location Discovery: System Language Discovery

        [PID 1152] C:\windows\SysWOW64\cmd.exe
          C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
          - System Location Discovery: System Language Discovery

            [PID 904] C:\Windows\SysWOW64\reg.exe
              REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
              - UAC bypass
              - System Location Discovery: System Language Discovery

        [PID 4504] C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
          - System Location Discovery: System Language Discovery

            [PID 3488] C:\Windows\SysWOW64\reg.exe
              REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
              - System Location Discovery: System Language Discovery

        [PID 3900] C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
          - System Location Discovery: System Language Discovery

            [PID 3164] C:\Windows\SysWOW64\shutdown.exe
              shutdown -r -t 10 -f
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken

[PID 3448] C:\Windows\System32\PickerHost.exe
  C:\Windows\System32\PickerHost.exe -Embedding
  - Suspicious use of SetWindowsHookEx

[PID 2216] C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x4 /state0:0xa39c1055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (3)
Downloads

Filesize: 152B
MD5: 302c3de891ef3a75b81a269db4e1cf22
SHA1: 5401eb5166da78256771e8e0281ca2d1f471c76f
SHA256: 1d1640e5755779c90676290853d2e3ca948f57cf5fb1df4b786e277a97757f58
SHA512: da18e7d40376fd13255f3f67a004c3a7f408466bd7ce92e36a4d0c20441279fe4b1b6e0874ab74c494663fb97bd7992b5e7c264b3fc434c1e981326595263d33

Filesize: 152B
MD5: c9efc5ba989271670c86d3d3dd581b39
SHA1: 3ad714bcf6bac85e368b8ba379540698d038084f
SHA256: c2e16990b0f6f23efdcecd99044993a4c2b8ba87bd542dd8f6256d69e24b93b3
SHA512: c1bc0dc70ab827b54feb64ad069d21e1c3c28d57d126b08314a9670437881d77dba02b5cca57ef0f2aa7f8e7d4d163fbd2c6f246ea2d51ce201d61a89015e8b7

Filesize: 106KB
MD5: 99f7b59bb69d6870454d0e3b02b058fc
SHA1: e8a23b7f7d941b128e378895861c79d501b2e5d1
SHA256: 9d0dbc4343e9201276b332eb7a0de1c3efd103f86547080a5e6162ffc5f21e0c
SHA512: 16bce0bba157c0b45b28a90375075739ef702a3f2709708a4adf4e6af99ee343cc2b25d752968b6053cbf5317dc30fbd6713bdae825de58d9f06bd2192ef92db

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 2KB
MD5: 06647fabaeebb0b94cb13961e93b2205
SHA1: c663d7f4a83134cd6a7420ef6aa4fefd9b0bf7a4
SHA256: 6f1315f937857750137f39d7004640713ab95929900f0ef6a035b0d9bad1bcaa
SHA512: 38a0ffbfe88568727ce33e3ecf17f3f1f450738136b5aea2fa88729085235c3905d8e9d3d88f059c7e59ae201c08a4b68b36d128caed09bb58284cc7004d0701

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 2KB
MD5: 5e5db9f44807512baf16fcdb255d020e
SHA1: 368599cd223685a7ca82fa05b1ed1c78eaee29aa
SHA256: c9a11ced82df5d9bf9fd12d88177750684cd51834962b16d47583aaf9c7ca8f8
SHA512: b977e034b3ecb0b674fe514d64d5736b52f683100029d1ba96e3c280ae8a97b2cdba56ded7808939c63d44c4592e2419d53b5a491b06da3237ae861fb8bac8e1

Filesize: 3KB
MD5: 62ad22dffa4f36fd201052beb2e3d104
SHA1: 3b5316dc6525b220e78d49a828386b940458a228
SHA256: ed36cc6f7dd0259e262104c0ea75389c3eebce6b30b1d17bbc3c50c8150a2d39
SHA512: 1350c1463a4daaf6e1abceca9ab741a5f26401fd6c962069ebcbea0cc3625778f49fb702219cbcf1f22fd152da5f595814323f2c013aebc1641e1733bf7c1f18

Filesize: 5KB
MD5: b5661f308d032e06dd8ccca9a1c179c1
SHA1: 03ed57aec73a438a20ab0d1282dccc8a0747cd93
SHA256: 4c1f44adbd36c4c8837259b8581c16dd14023f725780bc74c4127ffd736af25b
SHA512: e1611556e44f9c24b5283880e8a30d25f9aecaab2674c7a40d2a6b41cd1768ad8d2b816117f9eca38be5331822c0a45f94848b225bfe6e4c13cef408b49cecfe

Filesize: 7KB
MD5: 78ae297564faa8479d7d0d2691192a39
SHA1: e4311545dd7c39295fa5811c2679a3d6d703a4a9
SHA256: 95a7b2d8afe302c1c71ee28328afc23c0d5618a314b84e60148122506cc31a81
SHA512: eb6d92c2d0187e06689ab636f238101f10ec13d0635d870853581884a057eaa7e25f1fcd5515bb0fae7a6085a3551dee602f2c9e942b8cda5de2444e4d6b574c

Filesize: 6KB
MD5: 1e9a7f3b685bde97d9d90b505e8bd8da
SHA1: aa127dbaf45f0b0ea6e7125239de4b4b1b54e0fa
SHA256: 7586d4f164917eefde498f9478bbecd582302da91153643155e777cd0c56af55
SHA512: efb5fa95e52dd0509ab68901c9ba9dd85a82a503e77a39d4d967c4717f6c10653979ea2756e9865520578fa3e865d9f2bd097c5f377e01a6378492325f70b001

Filesize: 1KB
MD5: 31507c37f1b42726ddf2c71bd221fe1f
SHA1: f47ea1c6276e9e213a0f0a211908d1c08969d240
SHA256: 9f240a27426511bacf583509c4e08f1ffbca0331283f218c792d3b41efd696b4
SHA512: 960893c7874e351dfbd87f1622f8fb3315a6928daad7370a0e897d76a4df91e8f87ea5245c826ffc6d0b81ac10c64687484bc81ac206796c298de804c83afb8c

Filesize: 1KB
MD5: 30455a977158f600b3a649b01ac80c0f
SHA1: fd310652f169417bdb6c4287be321870c5d4d307
SHA256: a05b14150aebdaa18de0a519b7b2f736ca65b44fba4098474ae85adf44906101
SHA512: 97a8f259c85a532b14956c26635bf84f51d1e9a06dbb44c45d8f9e01e34ff2ef2030ad11f4c8d9554bd2a08c9c8f5b58eda59912eb4a55325a53a14caf64cccc

Filesize: 1KB
MD5: 2e04ef2351ce3d3555d4c800c899c024
SHA1: 0d67f40f438e73d197b843088cd48761c0f5bc41
SHA256: 7795512bdc6620f9431c57570bc9f84fdb0f3a00cea0380920c90cde6c448980
SHA512: c56b214b8a851bea9a5cbba4b2656de1b21c3655c8ab1ce9d0b64a8a7e9542de713bccd3f724e6efeb4878453a42da8ed997dc7d370eda78a916984f423bdf46

Filesize: 1KB
MD5: 34bbc341e0d11783a57ac862941955c3
SHA1: 9754b9ce2cd8e7a3eeecaa62987a1ce2fc689b62
SHA256: 499316fce75599341d8be7942034489383581d6b8f8f8e229025d3476ad2cc2e
SHA512: 3fcce00ce0e77278cc6bd77c398ab8edd33f0fe4c5ac6237f8624e0246ce3bc12b065cf55f59b5289e46925139973379b5c5580f7028324140c31414e2f57cb7

Filesize: 1KB
MD5: 14d6bdc81a2e5bb95b6b887be0dd843d
SHA1: 9870e54a08185c6ec070f9d2764ef440c722c345
SHA256: 24faacce58f5ca7ab2899f248092df306fdafcd1596610e31f324f2d73845e7c
SHA512: 11382d453e6049b3cdc62d651f6bd33404bc1e8ffc211cd24ce6856d272dedc0f911d6486fb0ef4f0d16d79ee9e9719af24f598c5fc48567a5406fdc8661679c

Filesize: 1KB
MD5: 1fcf63c4b84d595d71495aeac20290c7
SHA1: 93453c1a58d4395a3f1ebae0e9cc6b14c87bc31d
SHA256: 735e0811268018b54dfeedafdca589827978c177fe43666aebec2004eb144e76
SHA512: c069c058ba04cd9267803e21b62aee4720b12419cb3fbda4c41c779adad130ceed0e3d44397f69cafc28d622fe95da5c1087f8b53f65fa65faf12320156fbf80

Filesize: 1KB
MD5: 417e8acecb141f71a6f35cf19c874ea5
SHA1: cafcd8af7fb4e6b03797fd657e716bccf0b9f7ce
SHA256: 1da647f8160d3ebd59dda77b50cafdb41fcba9d4d8a6487d50fdd3ca31d4132b
SHA512: f25cd608f624ba5e25371a3a9ca6f923a3c489c43801c44da7e6db420803948deb60842d9406e28cc9c3852b81011bd710ac7d644f55878024c4c085b6495ce3

Filesize: 1KB
MD5: 3542a8a0e0b5359c9095328655830a36
SHA1: 0b0b56327b334d421ac098baf6f77b7034fc73ef
SHA256: 0424c1267091fad37a3aea8633a1c23241b6788067eab5b0c116d5b331127219
SHA512: 9854f8e564a846f391e15eea0247218f04f71a04de7aeb03f262b3031656e8d685bfabc140fa00decc3b70bf4ebd231243a8a0965fbaefb2ee2ad8116dd98a0f

Filesize: 1KB
MD5: 27f59aa0faff0bfe4ab23b9b2c756369
SHA1: 965f2b047813824b75a54dfb5b5c45220fbf520a
SHA256: f27b4c2d8498c4ec27e023991778c34473c6deb258fba74582dbf7523b60e785
SHA512: 91fb3dd1a3cf4b84776d849be8f647712568130d36c46c019193ffbdff2b6a046ed474a598efc34c3b0c152dbaec23b2a37f887af5f450ace68bc6067e7a06ff

Filesize: 1KB
MD5: 8978eee5ef49986694206fc87633c3e6
SHA1: c9bef9444181af4fcdbbf4edd499242a323f760f
SHA256: 2711996acfc7e9b1f265bac39f3dcc9cc85aad0ac903d9d1f42edec16606f4af
SHA512: bbcf7bc9ece3175c27b12c6b80db2f57bf6bcf0202c91b7614f0f90d7fe5dba5b7ee965d16c0e7c6c78eb584a29457085c262965d7aaa1408aa09406f1fcf870

Filesize: 1KB
MD5: 42142d934f87c5e989ca873c08afda2b
SHA1: b2eb4875e4774a50bbfaf1f99c4d319de6d5b820
SHA256: dff6b3e8693d43e7584a327fbde1b96cf5f350791478068d3c564144f2f2e1be
SHA512: 25aaf7d21efa1b238e8aae6ea5ca454de4dd2c059c69920aa65dafae70af22d2a31dbd6563e0b55d7e57ef76087a102d022937af7a297202576618495b6b151a

Filesize: 1KB
MD5: f218420efe2a0c296ab0c50c4cb7fe1d
SHA1: e08b8ac8858bbb55203b11ba4b2318cf647c0868
SHA256: 0ff4621477be85079d92eacd1ffbfec86578cee4573ca6d4b1f87cdbb4840c30
SHA512: 4770a2a673c67d83c6286f2f69c3649059e9da678f14eba228974c05bcfa67f6ddffe3e482b116f7f6456af3a979cb4fb55dfd03f6c43843ef936a4c6dfbac5a

Filesize: 1KB
MD5: 7b4aa7f109be10b7aadaf4576e0af9ec
SHA1: efe28f8f429120ccc8f2fbb92907dcf1afe45c84
SHA256: 0979a1e12116105d088f7510119af3b27658e9d6f65489646f6062863bde9cb7
SHA512: 450d7e74b8045213f44a82c4fb271c5cfd24a7d2f5ed5d5e6a13a8491733f2ba8937cbf4fced5ec36ec7ea1514c7156520a9fc7fbff15587cfff61db444c7638

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
MD5: 95e10db3b6cf33ab01f622cf83368988
SHA1: a678e0b6209e04576f2d11a931f5ab8d307be90e
SHA256: b4f7beba1412b48ed9ffd5744ba4eef531816e0e3db8d7a5f194e924555da1a4
SHA512: 777542f50b89f30b738b615c696deb9c4d813d2e1f2407ba9e81cf2a47af3f27324868092394c7643378ef10dd58d8eaad0a443eda310d7f44fd8163b9112ea0

Filesize: 11KB
MD5: 24e43e0a5ac4ea1f5a2c3942c9f2438c
SHA1: 7a871188e21cee67cde58a04e187b001cc4f57fb
SHA256: 2166a648253f1a939fc39ceb0dd54db1f7b40687183ed7458f9acb5e28e68364
SHA512: 610a28dfa995ade13872e920049b394cd79b7fa32528d49ed3967f20e7050b1bfb73ba3e2f4f957cbd2426218d700591a43d3586b581220eec0f7d0e280f30df

Filesize: 92B
MD5: ec326bbb3bccbdc24ecbca52d7727227
SHA1: 6d230c114148c2c62d1ee91fcf6b9575194ebea2
SHA256: e430f2a59f3cdd5474ecbe58a9d3a2414813e84f3124ecbd4d9180802e7cc57a
SHA512: 59768d77a6360d2bb7f161ccc747635516ee374fd158ddd6163802559cf02bd6843087f04c26f3471ba8472f8b2219564b6e998f705770105672db86747e5525

Filesize: 315KB
MD5: 9f8bc96c96d43ecb69f883388d228754
SHA1: 61ed25a706afa2f6684bb4d64f69c5fb29d20953
SHA256: 7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
SHA512: 550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6

Filesize: 139KB
MD5: c6f3d62c4fb57212172d358231e027bc
SHA1: 11276d7a49093a51f04667975e718bb15bc1289b
SHA256: ea60123ec363610c8cfcd0ad5f0ab2832934af69a3c715020a09e6d907691d4c
SHA512: 0f58acac541e6dece45949f4bee300e5bbb15ff1e60defe6b854ff4fb57579b18718b313bce425999d3f24319cfb3034cd05ebff0ecbd4c55ce42c7f59169b44

Filesize: 55B
MD5: 0f98a5550abe0fb880568b1480c96a1c
SHA1: d2ce9f7057b201d31f79f3aee2225d89f36be07d
SHA256: 2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
SHA512: dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6